Address Problem Users for Compliance

Discover how to easily build a role for technical batch or interface users who are very difficult to track — even if they have held SAP_ALL in production for years.

Key Concept

Every company has cross-functional and cross-technical batch users who run jobs to post data and reorganize tables. They are the do-it-all technical users that companies become more and more dependent on over the years. As a result, SAP_ALL is often assigned to them, and once they receive it, those users don’t want to give it up. The SAP_ALL role, which grants all possible SAP authorizations to a user, presents a high compliance risk to companies because it can jeopardize data confidentiality, integrity, and availability.

Sometimes SAP_ALL is just not allowed.

“Ha!” you say. “Of course SAP_ALL is not allowed. Each user should have a specific role with a specific task!” However, as soon as those words leave your lips, you’ve already realized the error. “Oh, right…I forgot about our batch users who span multiple servers and multiple SAP modules, and that WF-BATCH user we’ve never addressed who was assigned SAP_ALL when we first built the SAP instance. But it’s too late to make changes now ¾ besides, it’s only a system user. Nobody can log on with it.”

The above response is common and you’ve likely heard it before. Perhaps the conversation never came to a positive conclusion, tabling the topic indefinitely until someone could find a safe solution. However, auditors today hesitate to allow even non-dialog interface user IDs with such powerful access. Herein lies the problem: How do you create a role for a user with nearly no limits?

The answer is surprisingly simple. I’ll show you how to quickly make sense out of the difficult and complex task of building a role for a privileged batch user. I’ll start with the most complex user of all: WF-BATCH. If you can harness WF-BATCH, then you can easily control all other technical batch users. Most batch users have specific jobs assigned to them. Specific jobs mean a finite number of authorizations that you can plan and implement. WF-BATCH, however, is not so simple. It was once thought that WF-BATCH could only run with SAP_ALL because you cannot predict its access requirements. Compounding the problem, WF-BATCH access requirements can differ for each system and even each client.

Yet, there is a solution.

Would you like to see this full item?

Dylan Hack

Dylan Hack is a senior SAP compliance and authorization consultant with more than 10 years of SAP experience. He has designed custom segregation of duties programs and helps customers achieve pre-audit compliance. Dylan speaks five languages and advises companies in the US, Canada, and Western and Eastern Europe. He holds a bachelor of science degree in information systems from the University of Phoenix.